Java Vulnerability Latest News

Remember the recent vulnerabilities discovered in Java that attackers
used to spread malware? Have you installed the latest out-of-band update
that Oracle released in order to close those vulnerabilities? Think it's
time to move on to other stories? Well, think again.

Computerworld is reporting that another serious vulnerability has been
discovered in the latest update, one that could allow an attacker to
escape the Java security sandbox and run arbitrary code on your system.
The vulnerability was found by a Polish security firm called Security
Explorations and has been reported to Oracle, according to its CEO,
Adam Gowdiak. He has also stated that they will not release any
technical details on the vulnerability until Oracle issues a fix.
In an email to IDG News Service, he states:

“Once we found that our complete Java sandbox bypass
codes stopped working after the update was applied, we looked again at
POC codes and started to think about the possible ways of how to fully
break the latest Java update again,” Gowdiak said. “A new idea came, it
was verified and it turned out that this was it.”

Oracle hasn't hinted whether it will release an out-of-band update like
the previous one or simply include the patch in the scheduled October
update. With vulnerabilities being discovered at such a fast pace, it
might be time for Oracle to reconsider its four-month update cycle. The
longer these vulnerabilities stay unfixed, the greater the chance that
they will be used to attack users, leaving users at greater risk.

At this moment, the best option for you is to disable Java if you
don't really use it. Alternatively, you can disable Java in your primary
browser and use a secondary browser only for the web apps that require
Java (if you absolutely need those web apps and are sure they are not
rogue), so that you don't wander into compromised websites that make use
of Java vulnerabilities.